Internet Protocol version 6 (IPv6) networks share the same underlying layer-2 physical network infrastructure among different users to transport IPv6 traffic. With growing user mobility, virtualization and wireless access technologies, enterprise networks are transporting traffic from more heterogeneous users than ever before. In private cloud and traditional data center deployments, the physical network is typically shared between employees, contractors, partners and guest users of the same organization. In public cloud deployments, the network is shared among users from different organizations or tenants.
Because the underlying layer-2 network is shared, user traffic is exposed to threats from rogue users, hosts, routers or servers that gain unauthorized access to it. Once connected, a rogue user can sniff control and/or data packets from the authorized hosts, steal their identities and carry out various attacks. Rogue users can mount man-in-the-middle attacks, denial-of-service (DoS) attacks and replay attacks against the authorized hosts on the network.
IPv6 end hosts use the Neighbor Discovery Protocol (NDP) to exchange information with neighbors (other hosts or routers) on the same link in preparation for transmitting and receiving network traffic. The key functions provided by NDP are Router Discovery, Address Auto-configuration, Duplicate Address Detection, Address Resolution and Neighbor Unreachability Detection.
These NDP exchanges are unauthenticated and therefore vulnerable to the threats described above. A rogue host on the link can sniff the NDP exchanges between legitimate end hosts and routers, silently listen to communications, steal identities and carry out various attacks.
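As an added illustration (not part of the original text) of how a defender can observe these NDP exchanges, the following Python monitor parses the fixed headers of ICMPv6 Router Advertisement and Neighbor Advertisement messages and flags two of the conditions discussed above: a Router Advertisement from a source that is not on an allowlist of legitimate routers, and a Neighbor Advertisement claiming an address that a different link-local source previously advertised. The allowlist, the `NDMonitor` class and the packet bytes are constructed for this example.

```python
import struct
from ipaddress import IPv6Address

# ICMPv6 Neighbor Discovery message types (RFC 4861)
ND_ROUTER_ADVERT = 134
ND_NEIGHBOR_ADVERT = 136


def parse_nd(payload: bytes) -> dict:
    """Parse the fixed header of an ICMPv6 RA or NA message; options are ignored."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    msg_type = payload[0]
    if msg_type == ND_ROUTER_ADVERT and len(payload) >= 16:
        # type, code, checksum, cur hop limit, flags, router lifetime (seconds)
        _, _, _, _, _, lifetime = struct.unpack_from("!BBHBBH", payload, 0)
        return {"type": "RA", "router_lifetime": lifetime}
    if msg_type == ND_NEIGHBOR_ADVERT and len(payload) >= 24:
        # flags occupy 4 bytes: R (bit 7), S (bit 6), O (bit 5) of the first byte
        override = bool(payload[4] & 0x20)
        return {"type": "NA", "override": override, "target": IPv6Address(payload[8:24])}
    return {"type": "other", "code": msg_type}


class NDMonitor:
    """Tracks ND traffic on one link and reports suspicious advertisements."""

    def __init__(self, legitimate_routers):
        self.routers = {IPv6Address(a) for a in legitimate_routers}  # assumed allowlist
        self.owner = {}  # advertised target address -> link-local source that first claimed it

    def observe(self, src: str, payload: bytes):
        """Return an alert string for a suspicious message, or None if it looks normal."""
        src = IPv6Address(src)
        msg = parse_nd(payload)
        if msg["type"] == "RA" and src not in self.routers:
            return f"rogue RA from {src} (lifetime {msg['router_lifetime']}s)"
        if msg["type"] == "NA":
            first = self.owner.setdefault(msg["target"], src)
            if first != src:
                return f"NA for {msg['target']} from {src}, previously from {first}"
        return None


# Constructed sample packets (checksum left as zero; not wire-valid, parsing only).
RA_BYTES = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
NA_BYTES = struct.pack("!BBHI16s", ND_NEIGHBOR_ADVERT, 0, 0, 0x20000000,
                       IPv6Address("2001:db8::10").packed)

if __name__ == "__main__":
    mon = NDMonitor(["fe80::1"])
    for src, pkt in [("fe80::1", RA_BYTES), ("fe80::bad", RA_BYTES),
                     ("fe80::10", NA_BYTES), ("fe80::bad", NA_BYTES)]:
        print(src, "->", mon.observe(src, pkt))
```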